What we know about Copy Fail (CVE-2026-31431)
Blog post from Bugcrowd
Copy Fail (CVE-2026-31431) is a newly disclosed zero-day vulnerability in the Linux kernel that enables local privilege escalation (LPE) on almost all Linux distributions shipped since 2017, allowing authenticated users to gain root access. The vulnerability, disclosed by Theori, stems from a logic flaw in the kernel's crypto API and can be exploited with a 732-byte Python script. Affected distributions include Ubuntu, Amazon Linux, RHEL, and SUSE.

The significance of Copy Fail lies less in the bug itself than in how it was found: Theori's AI system, Xint Code, identified it in about an hour. This marks a shift in the vulnerability discovery landscape, where AI tools can now rapidly uncover deep logic flaws, challenging the traditional assumption that such findings are rare and expensive. It also underscores the need for robust validation infrastructure and coordinated disclosure mechanisms capable of handling a growing volume of credible security reports.

Finally, the vulnerability calls into question the adequacy of container-based security models, particularly in shared-kernel environments where a single kernel flaw reaches every container on the host. Defenders should consider stronger isolation boundaries, such as microVMs or dedicated hosts, to mitigate the risk.